Abstract


This study carries forward the line of enquiry that seeks to characterize precisely which security policies are enforceable by runtime
monitors. In this regard, Basin et al. recently refined the structure 
that helps distinguish between those actions that the monitor can 
potentially suppress or insert in the execution, from those that the 
monitor can only observe. In this paper, we generalize this model by 
organizing the universe of possible actions in a lattice that naturally 
corresponds to the levels of monitor control. We then delineate the 
set of properties that are enforceable under this paradigm and relate 
our results to previous work in the field. Finally, we explore the set 
of security policies that are enforceable if the monitor is given greater 
latitude to alter the execution of its target, which allows us to reflect 
on the capabilities of different types of monitors. 


1 Introduction 

Runtime monitoring is an approach to enforcing security policies that seeks to 
allow untrusted code to run safely by observing its execution and reacting as 
needed to prevent a violation of a user-supplied security policy. This method 
of ensuring the security of code is rapidly gaining acceptance in practice and 
several implementations exist [17]. One question seems to recur frequently
in multiple studies: exactly which set of properties are monitorable, in the
sense that they are enforceable by monitors. Previous research has identified
several factors that can affect the set of security policies enforceable by
monitors. These include the means at the disposal of monitors to react to
a potential violation of the security policy [3], the availability of statically
gathered data about the target program’s possible executions [?], memory
and computability constraints [?], etc.

One specific aspect that can have a considerable impact on the monitor’s 
expressiveness is its ability to either suppress certain actions performed by 
the target program from occurring during the execution (while allowing the 
remainder of the execution to continue unaffected) or to insert additional 
events in an ongoing execution. These abilities, when available, extend the 
monitor’s enforcement power considerably. Indeed, a lower bound on the 
enforcement power of monitors is given by Schneider [25] who shows that the 
set of properties enforceable by a monitor whose only possible reaction to 
a potential violation of the desired security policy is to abort the execution 
coincides with the set of safety properties. Conversely, Ligatti et al. [22]
consider the case of a monitor with an unlimited ability to delay any event 
performed by the target program until it has ascertained that its occurrence 
in the execution would not violate the security policy. In effect, the monitor is 
simulating the execution of the program until it is certain that the behaviour 
it has so far witnessed is correct. When behaving in this manner, the monitor 
can enforce a vast range of security properties, termed the set of infinite 
renewal properties, which includes all safety policies, some liveness policies 
and some policies that are neither safety nor liveness. 

Yet, it may not be realistic to assume that the monitor has an unlimited 
ability to simulate the execution of the target program. Indeed, as Ligatti 
et al. [22] point out: “[O]ur model assumes that security automata have the
same computational capabilities as the system that observes the monitor’s 
output. If an action violates this assumption by requiring an outside system 
in order to be executed, it cannot be feigned (i.e., suppressed) by the monitor. 
For example, it would be impossible for a monitor to feign sending email, wait 
for the target to receive a response to the email, test whether the target does 
something invalid with the response, and then decide to undo sending email in 
the first place. Here, the action for sending email has to be made observable 
to systems outside of the monitor’s control in order to be executed, so this 
is an unsuppressible action. [...] Similarly, a system may contain actions 
uninsertable by monitors because, for example, the monitors [...] lack access 
to secret keys that must be passed as parameters to the actions. In general, 
environmental factors beyond the control of the monitor may give rise to 
actions that are unsuppressible or uninsertable.” The set of infinite renewal
properties should thus be seen as an upper bound on the enforcement power of monitors.

To this end, Basin et al. propose a middle ground [2]. They partition the 
set of possible program actions in two disjoint subsets: a set of controllable 
actions, which the monitor may freely suppress from the execution, and a set 
of observable actions, whose occurrence the monitor can only observe. This 
allows for a more precise characterization of the set of monitorable properties.
Section 2 will discuss these concepts in more detail.

In Section 3 we further generalize this analysis by organizing the set
of possible actions along a lattice that distinguishes between four types of
atomic actions, namely controllable actions (which a monitor can insert or
block from an execution), insertable actions (which a monitor can add to the
execution but not suppress), suppressible actions (the converse) and observable
actions (which the monitor can only observe). We then delineate the set
of properties that are enforceable under this paradigm and relate our results
to previous work in the field.

Finally, we explore in Section 4 the set of security policies that are enforceable
if the monitor is given greater latitude to alter the execution of its
target, rather than being bound to return a syntactically identical execution
sequence if the original execution is valid. In particular, we consider a monitor
which can add any action into the execution, but cannot prevent any
action from occurring if the target program requests it. We also consider a
monitor that can remove potentially malicious actions performed by the target
program but cannot add any action to the execution. We show how both
can be handled by our model by simply considering a different equivalence
relation between traces.


2 Preliminaries 

2.1 Executions 

Executions are modelled as sequences of atomic actions taken from a finite
or countably infinite set of actions $\Sigma$. The empty sequence is noted $\epsilon$, the set
of all finite length sequences is noted $\Sigma^*$, that of all infinite length sequences
is noted $\Sigma^\omega$, and the set of all possible sequences is noted $\Sigma^\infty = \Sigma^\omega \cup \Sigma^*$.
Let $\tau \in \Sigma^*$ and $\sigma \in \Sigma^\infty$ be two sequences of actions. We write $\tau;\sigma$ for the
concatenation of $\tau$ and $\sigma$. We say that $\tau$ is a prefix of $\sigma$, noted $\tau \preceq \sigma$, or
equivalently $\sigma \succeq \tau$, iff there exists a sequence $\sigma'$ such that $\tau;\sigma' = \sigma$. Let
$\sigma \in \Sigma^\infty$ be a sequence; we write $acts(\sigma)$ for the set of actions present in
$\sigma$. We write $res_P(\sigma)$ for the residual of $P$ with regard to $\sigma$, i.e. the set of
sequences $S \subseteq \Sigma^\infty$ s.t. $\forall\tau \in S : \sigma;\tau \in P$. Finally, let $\tau, \sigma \in \Sigma^\infty$; $\tau$ is said to
be a suffix of $\sigma$ iff there exists a $\sigma' \in \Sigma^*$ such that $\sigma = \sigma';\tau$.

Following [22], if $\sigma$ has already been quantified, we freely write $\forall\tau \preceq \sigma$
(resp. $\exists\tau \preceq \sigma$) as an abbreviation for $\forall\tau \in \Sigma^* : \tau \preceq \sigma$ (resp. $\exists\tau \in \Sigma^* :
\tau \preceq \sigma$). Likewise, if $\tau$ has already been quantified, $\forall\sigma \in \Sigma^\infty : \sigma \succeq \tau$ (resp.
$\exists\sigma \in \Sigma^\infty : \sigma \succeq \tau$) can be abbreviated as $\forall\sigma \succeq \tau$ (resp. $\exists\sigma \succeq \tau$).

Let $\tau$ be a sequence and $a$ be an action; we write $\tau \backslash a$ for the left cancellation
of $a$ from $\tau$, which is defined as the removal from $\tau$ of the first occurrence
of $a$. Formally:

$$(a;\tau) \backslash a' = \begin{cases} \tau & \text{if } a = a'; \\ a;(\tau \backslash a') & \text{otherwise.} \end{cases}$$

Observe that $\epsilon \backslash a = \epsilon$. Abusing the notation, we write $\tau \backslash \tau'$ to denote the
sequence obtained by left cancellation of each action of $\tau'$ from $\tau$. Formally,
$\tau \backslash (a;\tau') = (\tau \backslash a) \backslash \tau'$. For example, $abcada \backslash daa = bca$.

A finite word $\tau \in \Sigma^*$ is said to be a subword of a word $\omega$, noted $\tau \sqsubseteq \omega$, iff
$\tau = a_1;a_2;\ldots;a_k$ and $\omega = \alpha_0;a_1;\alpha_1;a_2;\alpha_2;\ldots;a_k;\alpha_k$ with $\alpha_0, \alpha_1, \alpha_2, \ldots, \alpha_{k-1} \in \Sigma^*$
and $\alpha_k \in \Sigma^\infty$. Let $\tau, \sigma$ be sequences from $\Sigma^*$. We write $cs_\tau(\sigma)$ to denote the
longest subword of $\tau$ which is also a subword of $\sigma$. For any $\tau \neq \epsilon$, $\tau.last$
denotes the last action of sequence $\tau$.

2.2 Security Policies and Security Properties 

A security policy $P$ is a property iff it can be characterized as a set of
sequences for which there exists a decidable predicate $\hat{P}$ over the executions
of $\Sigma^\infty$: $\hat{P}(\sigma)$ iff $\sigma$ is in the policy [25]. In other words, a property is a policy
for which the membership of any sequence can be determined by examining
only the sequence itself¹. Such a sequence is said to be valid or to respect
the property. Since, by definition, all policies enforceable by monitors are
properties, $P$ and $\hat{P}$ are used interchangeably in our context. Additionally,
since the properties of interest represent subsets of $\Sigma^\infty$, we follow the common
usage in the literature and freely use $P$ to refer to these sets.

A number of classes of properties have been defined in the literature and
are of special interest in the study of monitoring. First are safety properties
[20], which proscribe the occurrence of a certain “bad thing” during the
execution. Formally, let $\Sigma$ be a set of actions and $P$ be a property. $P$ is a
safety property iff

$$\forall\sigma \in \Sigma^\infty : \neg P(\sigma) \Rightarrow \exists\sigma' \preceq \sigma : \forall\tau \succeq \sigma' : \neg P(\tau) \qquad \text{(safety)}$$

Informally, this states that a sequence does not respect the security
property iff there exists a prefix of that sequence from which every possible
extension does not respect the security policy. This implies that a violation
of a safety property is irremediable: once a violation occurs, nothing can be
done to correct the situation.

¹ Security policies whose enforcement necessitates the examination of multiple execution
sequences, such as noninterference policies, are not generally enforceable by monitors.
Alternatively, a liveness property [1] is a property prescribing that a certain
“good thing” must occur in any valid execution. Formally, for an action
set $\Sigma$ and a property $P$, $P$ is a liveness property iff

$$\forall\sigma \in \Sigma^* : \exists\tau \in \Sigma^\infty : \tau \succeq \sigma \wedge P(\tau) \qquad \text{(liveness)}$$

Informally, the definition states that a property is a liveness property if
any finite sequence can be extended into a valid sequence.

Another class of security properties that are of interest is that of renewal
properties [22]. A property is in renewal if every infinite valid sequence has
infinitely many valid prefixes, while every infinite invalid sequence has only
finitely many such prefixes. Observe that every property over finite sequences
is in infinite renewal. The set of renewal properties is equivalent to the set
of response properties in the safety-progress classification [?].

$$\forall\sigma \in \Sigma^\omega : P(\sigma) \Leftrightarrow \forall\sigma' \preceq \sigma : \exists\tau \preceq \sigma : \tau \succeq \sigma' \wedge P(\tau) \qquad \text{(renewal)}$$

It is often useful to restrict our analysis to properties for which the empty
sequence $\epsilon$ is valid. Such properties are said to be reasonable [22]. Formally,

$$\forall P \subseteq \Sigma^\infty : P(\epsilon) \Leftrightarrow P \text{ is reasonable} \qquad \text{(reasonable)}$$

In the remainder of this paper, we will only consider reasonable properties.
Furthermore, in order to avoid having the main topic of this paper be
sidestepped by decidability issues, we will consider that $P(\sigma)$ is decidable for all
properties and all execution sequences. Likewise, we also consider that other
predicates or functions over sequences are decidable.

2.3 Security Property Enforcement 

Finally, we need to provide a definition of what it means to “enforce” a
security property $P$. A number of possible definitions have been suggested.
The most widely used is effective$_=$ enforcement [3]. Under this definition, a
property is effectively$_=$ enforced iff the following two criteria are respected.

1. Soundness: All observable behaviours of the target program respect
the desired property, i.e. every output sequence is present in the set of
executions defined by $P$.

2. Transparency: The semantics of valid executions is preserved, i.e. if
the execution of the unmonitored program already respects the security
property, the monitor must output an equivalent sequence, with respect
to an equivalence relation $\equiv \subseteq \Sigma^\infty \times \Sigma^\infty$.

Syntactic equality is the most straightforward equivalence relation, and 
the one that has been the most studied in the literature. It models the be¬ 
haviour of a monitor that enforces the desired property by suppressing (or 
simulating) part of the execution, only allowing it to be output when it has 
ascertained that the execution up to that point is valid. In Section 4 we
consider two alternative notions of equivalence, which can be used to characterize
alternative behaviours on the part of the enforcement mechanism.

2.4 Related Work 

Initial work on the question of delineating which security policies are or are 
not enforceable by monitors was performed by Schneider [25]. He considered
the capabilities of a monitor that observes the execution of its target, with no 
knowledge of its possible future behaviour and no means to affect the target 
except by aborting the execution. Each time the target program attempts to 
perform an action, the monitor has to either accept it immediately, or abort 
the execution. Under these constraints, the set of properties enforceable by 
monitors coincides with the set of safety properties. 

Ligatti et al. [21] extend Schneider’s modelling of monitors along three 
axes: 

1. According to the means at the disposal of the monitor to react to a
potential violation of the security policy. These include truncating the
execution, inserting new actions into the execution, suppressing some
part of the execution, or both inserting and suppressing actions.

2. According to the availability of statically gathered data describing the
target program’s possible execution paths.

3. According to how much latitude the monitor is given to alter executions
that already respect the security policy.

By combining these three criteria, they build a rich taxonomy of enforceable 
properties, and contrast the enforcement power of different types of monitors. 
Basin et al. [2] generalize Schneider’s model by distinguishing between
observable actions, whose occurrence the monitor cannot prevent, and con¬ 
trollable actions, which the monitor can prevent from occurring by aborting 
the execution. 

The enforcement power of monitors operating with memory constraints is
studied in [?], [20], [27], [28] and [4].

The computability constraints that can further restrict a monitor’s enforcement
power are discussed in [?, 10]; that of monitors relying upon an a
priori model of the program’s possible behaviour is discussed in [?] and [?].

Falcone et al. [?] show that the set of infinite renewal properties
coincides with the union of four of the 6 classes of the safety-progress classification
of security properties [?]. Khoury and Tawbi [13, ?] and Bielova et
al. [?, 5, 6] further refine the notion of enforcement by suggesting alternative
definitions of enforcement. In [23] Ligatti and Reddy introduced an alternative
model, the mandatory-result automaton. This model distinguishes
between the action set of the target and that of the system with which it
interacts. This distinction makes it easier to study the interaction between
the target program, the monitor and the system. A thorough survey of the
question of enforceable properties by monitors is provided in [?].

3 Monitoring With Partial Control 

The previous works each consider monitors where actions belong to partic¬ 
ular sets. For example, Schneider’s model assumes that all actions can be 
suppressed by the monitor; conversely, Ligatti et al. assume that all actions 
can be indefinitely delayed. Basin et al. propose a middle ground where ev¬ 
ery action can either be freely suppressed, or can only be observed. In this 
section, we define a generalized model of actions where each of these works 
becomes a particular case. We then study what properties are enforceable in 
this generalized model. 

3.1 A Lattice of Actions 

We organize the set of possible actions along a lattice that distinguishes
between four types of atomic actions: namely controllable actions ($C$), insertable
actions ($I$), suppressible actions ($D$, for delete) and observable
actions ($O$), as is shown in Figure 1.

Figure 1: The lattice of possible actions

• Controllable actions ($C$) are the basic actions such as opening a file
or sending data on the network, which the monitor can either insert
into the execution or prevent from occurring if they violate the security
policy. In Ligatti’s model, all actions are controllable.

• Insertable actions ($I$) can be added into the execution but not suppressed
if they are present. An example of an insertable action is an
additional delay before processing a request to bring it into compliance
with a resource usage policy. The monitor may add such actions to the
execution sequence but cannot remove them if the target program executes
them.

• Suppressible actions ($D$, for delete) are those actions that the monitor
can prevent from occurring, but cannot insert in the execution if the
target program does not request them. Sending an email, decrypting
a file or receiving a user input are all examples of suppressible actions.
In Schneider’s model, all actions are suppressible.

• Observable actions ($O$) can only be observed by the monitor, which can
neither insert them in the execution when they are not present nor
suppress them if they occur. In Basin et al.’s model, all actions are
either suppressible or observable.

As the examples above illustrate, we believe that the lattice model we propose
is a more realistic description of the reality encountered by the monitor,
and will thus allow a more precise characterization of the set of enforceable
properties. Observe that the monitor may only abort the execution if the
next action is in $C \cup D$. Moreover, the sets $C$, $I$, $D$ and $O$ are disjoint, and
the universe of possible program actions is $\Sigma = C \cup I \cup D \cup O$.

The following notation is useful for comparing different enforcement mechanisms.
Let $\Sigma$ be a universe of actions and let $\mathcal{L}$ be a lattice over the set
$\Sigma$ as described above. Let $S \subseteq \Sigma^\infty$ stand for a subset of possible
execution sequences and let $\equiv \subseteq \Sigma^\infty \times \Sigma^\infty$ be an equivalence relation. We
write $\mathcal{L}^S$-enforceable$_\equiv$ to denote the set of properties that are enforceable$_\equiv$
by a monitor when the set of possible sequences is $S$ and the set of possible
actions is organized along lattice $\mathcal{L}$.

Let $\mathcal{L}$ be a lattice as described above. We write $\mathcal{L}_O$ (resp. $\mathcal{L}_I$, $\mathcal{L}_D$, $\mathcal{L}_C$) for
the set $O$ (resp. $I$, $D$, $C$) in $\mathcal{L}$. We write $\mathcal{L} = (\Sigma_1, \Sigma_2, \Sigma_3, \Sigma_4)$ for the lattice
where $\mathcal{L}_O = \Sigma_1$, $\mathcal{L}_I = \Sigma_2$, $\mathcal{L}_D = \Sigma_3$ and $\mathcal{L}_C = \Sigma_4$. Let $A, B \in \{O, I, D, C\}$
and let $a \in \Sigma$; we write $\mathcal{L}^a_{A \to B}$ to indicate the lattice $\mathcal{L}'$ defined such that
$\mathcal{L}'_A = \mathcal{L}_A \setminus \{a\}$, $\mathcal{L}'_B = \mathcal{L}_B \cup \{a\}$ and $\forall X \in \{O, I, D, C\} : X \notin \{A, B\} \Rightarrow
\mathcal{L}'_X = \mathcal{L}_X$. In other words, $\mathcal{L}^a_{A \to B}$ is the lattice built by moving only element
$a$ from set $A$ to another set $B$, leaving all other sets unchanged.

3.2 Enforceable Properties 

We begin by reflecting on the set of properties that are $\mathcal{L}^{\Sigma^\infty}$-enforceable$_=$,
i.e. properties that are enforceable if the monitor is bound to output any
valid sequence exactly as it occurs (with syntactic equality as the equivalence
relation between valid inputs and the monitor’s output). This is the enforcement
paradigm that has been the most studied in the literature. A monitor
that seeks to enforce a property in this manner may take any one of three
strategies, depending on the desired property and the ongoing execution,
and the set of $\mathcal{L}^{\Sigma^\infty}$-enforceable$_=$ properties can be derived by combining the
three.

First, using a model in which every action is controllable, Ligatti et al.
argued that a monitor can enforce any reasonable renewal property by suppressing
the execution until a valid prefix is reached, at which point the monitor
can output the suffix of the execution it has previously suppressed. We
generalize the definition of renewal as follows:

$$\forall\sigma \in \Sigma^\infty : P(\sigma) \Leftrightarrow \forall\sigma' \preceq \sigma : \big(\exists\tau \preceq \sigma : \tau \succeq \sigma' \wedge P(\tau) \wedge
\forall\tau' \preceq \tau : \tau' \succeq \sigma' \Rightarrow \tau'.last \in C\big) \qquad (\mathcal{L}\text{-Renewal})$$

Observe that the definition now applies to all sequences in $\Sigma^\infty$, rather
than just to infinite sequences. The second half of the equation always evaluates
to true if all the actions are controllable (Ligatti’s model) and always
evaluates to false if all the actions are suppressible or observable (Schneider’s
or Basin’s models).
Second, Ligatti et al. observe that a property is enforceable if there exists
a prefix beyond which there is only one valid extension. In that case, the
monitor can abort the execution and output that sequence. This allows some
nonsafety properties to be monitored. Ligatti et al. refer to this case as the
“corner case” of effective enforcement. We generalize this case as follows:

$$\forall\sigma \in \Sigma^\infty : P(\sigma) \vee \exists\sigma' \preceq \sigma : \forall\sigma';\tau \succeq \sigma' : P(\sigma';\tau) \Rightarrow \sigma';\tau = \sigma \wedge
\sigma'.last \in D \cup C \wedge acts(\tau) \subseteq I \cup C \qquad (\mathcal{L}\text{-Corner case})$$

Once again, observe that the equation restricts all sequences, rather than
only infinite ones. This equation always evaluates to false in the Schneider-
Basin model and the second conjunct always evaluates to true in Ligatti’s
model.

Finally, the monitor can simply abort the execution if it is irremediably
invalid. This is a generalization of the set of safety properties to our
framework.

$$\forall\sigma \in \Sigma^\infty : \neg P(\sigma) \Rightarrow \exists\tau;a \preceq \sigma : P(\tau) \wedge a \in D \cup C
\wedge \neg\exists\tau' \succeq \tau;a : P(\tau') \qquad (\mathcal{L}\text{-Safety})$$

The set of $\mathcal{L}^{\Sigma^\infty}$-enforceable$_=$ properties can now be stated. The definition
is not simply the disjunction of the three preceding sets, as it must take into
account the possibility that enforcement might begin by suppressing and
reinserting part of the execution, and then abort the execution using one
of the other methods.

Theorem 1.

$$P \in \mathcal{L}^{\Sigma^\infty}\text{-enforceable}_= \Leftrightarrow \forall\sigma \in \Sigma^\infty :$$
$$\big(P(\sigma) \Leftrightarrow \forall\sigma' \preceq \sigma : \exists\tau \preceq \sigma : \sigma' \preceq \tau \wedge P(\tau) \wedge (\forall\tau' \preceq \tau : \neg P(\tau') \Rightarrow \tau'.last \in C)\big) \vee$$
$$\big(\exists\tau;a \preceq \sigma : a \in D \cup C \wedge \forall\tau' \prec \tau;a : \neg P(\tau') \Rightarrow \tau'.last \in C \wedge (\forall\tau' \succeq \tau;a : P(\tau') \Rightarrow$$
$$\tau' = \sigma \vee (P(\tau) \wedge \neg\exists\tau' \succeq \tau;a : P(\tau') \wedge acts(\sigma \backslash \tau;a) \subseteq C \cup I))\big)$$

Proof. See Appendix A for all proofs of theorems and corollaries. □

This definition narrows the set of monitorable properties somewhat, compared
with previous work. For example, bounded availability is given in [22]
as an example of a monitorable policy. In fact, it is monitorable only if every
action that occurs between the acquisition and release of a protected resource
is controllable. Likewise, the “no send after read” property described
in [25] is only enforceable if every action which might violate the property is
deletable or controllable.
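To make the two remarks above concrete, here is an added example (constructed for this rewrite, not code from the paper) of a monitor operating over the four action classes of Section 3.1 with syntactic equality as the equivalence relation. It combines the suppress-and-reinsert strategy for runs of controllable actions with the abort strategy for suppressible or controllable actions, and reports a property as unenforceable for a given lattice when a violating action is insertable or observable; the property names, action names and traces are all assumptions of the example.

```python
"""Monitor with partial control over a lattice of actions (Section 3).

Added, constructed example; not code from the paper. Actions are split into
the four disjoint classes O, I, D, C and the monitor enforces a property with
syntactic equality as the equivalence relation: runs of controllable actions
are suppressed and reinserted once a valid prefix is reached (the L-Renewal
strategy), and the execution is aborted when an irremediably invalid action
is suppressible or controllable (the L-Safety strategy). An insertable or
observable action that invalidates the prefix can be neither delayed nor
stopped, so the monitor reports the property as not enforceable.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lattice:
    """The four disjoint classes; their union is the action universe Sigma."""
    O: frozenset  # observable: can neither be inserted nor suppressed
    I: frozenset  # insertable: can be added, not suppressed
    D: frozenset  # suppressible ("deletable"): can be suppressed, not inserted
    C: frozenset  # controllable: can be inserted or suppressed

    def __post_init__(self):
        parts = (self.O, self.I, self.D, self.C)
        if sum(len(p) for p in parts) != len(frozenset().union(*parts)):
            raise ValueError("the classes O, I, D, C must be disjoint")


def no_send_after_read(trace):
    """Safety property of [25]: no 'send' once a 'read' has occurred."""
    seen_read = False
    for a in trace:
        seen_read = seen_read or a == "read"
        if a == "send" and seen_read:
            return False
    return True


def all_acquired_released(trace):
    """Bounded-availability-style property: every 'acquire' is later released."""
    held = 0
    for a in trace:
        if a == "acquire":
            held += 1
        elif a == "release":
            if held == 0:
                return False
            held -= 1
    return held == 0


def monitor(lat, prop, trace):
    """Run the monitor over a finite trace and return (output, status).

    status is 'ok' (output is the longest valid prefix, equal to the input
    when the input is valid), 'aborted' (truncated at a D or C action that
    made the prefix irremediably invalid) or 'unenforceable' (a violating
    I or O action could not be prevented; the returned sequence is invalid).
    """
    out = []   # valid prefix released so far
    buf = []   # suppressed controllable actions awaiting reinsertion
    for a in trace:
        cand = out + buf + [a]
        if prop(cand):
            out, buf = cand, []          # valid prefix reached: release everything
        elif a in lat.C:
            buf.append(a)                # delay it; it may be reinserted later
        elif a in lat.D:
            return out, "aborted"        # cannot delay it, but can stop it
        else:
            return cand, "unenforceable"  # I or O: the action cannot be stopped
    return out, "ok"  # suppressed actions still buffered are never released
```

With all actions controllable, `acquire; work; release` is output unchanged, whereas moving `work` to $O$ makes the same property unenforceable, matching the remark on bounded availability above.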

While the set-theoretic characterization of enforceable properties is somewhat
involved, an LTL formula can characterize such properties.

Theorem 2. Let $valid$ be a predicate identifying a valid sequence:

$$valid(\sigma) \Leftrightarrow P(\sigma)$$

Let $cc$ be a predicate that identifies a sequence in the $\mathcal{L}$-corner case:

$$cc(\sigma) \Leftrightarrow P(\sigma) \wedge \exists\sigma' \preceq \sigma : \forall\sigma';\tau \succeq \sigma' : P(\sigma';\tau) \Rightarrow
\sigma';\tau = \sigma \wedge \sigma'.last \in D \cup C \wedge acts(\tau) \subseteq I \cup C$$

Let $C$ be a predicate identifying a sequence ending on a controllable action,
and $D$ a predicate that identifies a sequence ending on a deletable action:

$$C(\sigma) \Leftrightarrow \sigma.last \in C$$

$$D(\sigma) \Leftrightarrow \sigma.last \in D$$

Then we have:

$$P \in \mathcal{L}^{\Sigma^\infty}\text{-enforceable}_= \Leftrightarrow \forall\sigma \in \Sigma^\infty :$$
$$G(C\ W\ valid) \vee \big(C\ W\ valid \vee X((D \vee C) \wedge (G\,\neg valid \vee cc))\big)$$

In this theorem, we assume that any execution sequence from S°° is 
possible. In other words, at each step of the execution, the monitor must 
assume that any action from E is a possible next action, or that the execution 
of the target program could stop. This is called the uniform enforcement 
context. The monitor often operates in a context where it knows that certain 
executions are impossible (the nonuniform context). This situation occurs 
when the monitor benefits from a static analysis of its target, that provides 
it with a model of the target’s possible behaviour. We can adapt the above 
theorem to take into account the fact that the monitor could operate in a 
nonuniform context. 
Theorem 3.

$$P \in \mathcal{L}^{S}\text{-enforceable}_= \Leftrightarrow \forall\sigma \in S :$$
$$\big(P(\sigma) \Leftrightarrow \forall\sigma' \preceq \sigma : \exists\tau \preceq \sigma : \sigma' \preceq \tau \wedge P(\tau) \wedge (\forall\tau' \preceq \tau : \neg P(\tau') \Rightarrow
(\tau'.last \in C \wedge \tau' \in S))\big) \vee$$
$$\big(\exists\tau;a \preceq \sigma : a \in D \cup C \wedge \forall\tau' \prec \tau;a : (\neg P(\tau') \wedge \tau' \in S) \Rightarrow \tau'.last \in C \wedge
(\forall\tau' \succeq \tau;a : P(\tau') \Rightarrow \tau' = \sigma \vee (P(\tau) \wedge \neg\exists\tau' \succeq \tau;a :$$
$$P(\tau') \wedge \tau' \in S \wedge acts(\sigma \backslash \tau;a) \subseteq C \cup I))\big)$$

We can now restate the results of previous research in our new formalism. 

Theorem 4. (from [25]) If $\mathcal{L} = (\emptyset, \emptyset, \Sigma, \emptyset)$ then $\mathcal{L}^{\Sigma^\infty}$-enforceable$_=$ is Safety.

Theorem 5. (from [22]) If $\mathcal{L} = (\emptyset, \emptyset, \emptyset, \Sigma)$ then $\mathcal{L}^{\Sigma^\infty}$-enforceable$_=$ is the
union of Infinite Renewal and the corner case.

3.3 Additional Results 

Corollary 1. Let $\mathcal{L}$ be a lattice over a set of actions $\Sigma$ as described above
and let $X_1, X_2 \in \{O, D, I, C\}$ with $X_1 \sqsubseteq X_2$. $\forall a \in \Sigma : \mathcal{L}^{\Sigma^\infty}$-enforceable$_=$
$\subseteq (\mathcal{L}^a_{X_1 \to X_2})^{\Sigma^\infty}$-enforceable$_=$.

Corollary 1 indicates that the set of enforceable properties increases monotonically
with the capabilities of the monitor. Thus, any effort made to improve
the capabilities of the monitor to control its target is rewarded by an
augmented set of enforceable security properties. Conversely, if every action
from the set $\Sigma$ is in $O$, only the inviolable property is enforceable.

Corollary 2. Let $\mathcal{L} = (\Sigma, \emptyset, \emptyset, \emptyset)$. $P \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_=$ $\Leftrightarrow P = \Sigma^\infty$.

4 Alternative Equivalence Relations 

The above results apply only to the case of effective$_=$ enforcement. This
corresponds to the enforcement power of a monitor that sometimes delays
the occurrence of actions in its target, or aborts its execution, but does not add
additional actions or permanently suppress part of the execution sequence
while allowing the remainder of the execution to continue. Syntactic equality (and
subclasses of that relation) is the only equivalence relation that has been
extensively studied in the literature. This naturally does not exhaust the
enforcement capabilities of monitors. In this section, we explore alternative
equivalence relations (that characterize alternative enforcement mechanisms)
and determine the set of enforceable properties for each.

4.1 Subword Equivalence and Insertion Enforcement

The first alternative equivalence relation that we examine is subword equivalence,
noted $\equiv_{\sqsubseteq}$. This corresponds to the enforcement power of a monitor
which can add any action into the execution, but cannot prevent any action
from occurring if the target program requests it. For example, the monitor
can enforce a property stating that any opened file is eventually closed by
adding the missing close file action before the end of the program’s execution.
This model is useful for understanding the capabilities of certain types of
inline monitors that are injected into the program in the form of guards or
run in parallel with their target, such as those based upon the aspect-oriented
programming paradigm [18], [8], [?].

Let $\sigma, \sigma', \tau \in \Sigma^*$; we write $\sigma \equiv^\tau_{\sqsubseteq} \sigma'$ iff $(\sigma \sqsupseteq \tau \wedge \sigma' \sqsupseteq \tau)$, and designate
by enforceable$_{\sqsubseteq}$ the set of properties that are enforceable when $\equiv^\tau_{\sqsubseteq}$ is
the equivalence relation and $\tau$ is the original input. This is a very permissive
equivalence relation, which in effect allows the monitor to insert any action or
actions into the execution, and consider the transformed execution equivalent
to the original execution ($\tau$) if all actions performed by the target program
are still present. While this equivalence relation may be too permissive to
be realistic, it does allow us to deduce an upper bound to the set of policies
enforceable under this paradigm.

We begin by considering the cases that occur when the monitor has only
limited control over the action set. When the monitor can only suppress
actions or abort the execution, the set of enforceable$_{\sqsubseteq}$ properties coincides
with that of safety properties, since the monitor is unable to take advantage
of the permissiveness of the equivalence relation.

Theorem 6. Let $\mathcal{L} = (\emptyset, \emptyset, \Sigma, \emptyset)$. $\mathcal{L}^{\Sigma^\infty}$-enforceable$_{\sqsubseteq}$ is the set of safety
properties.

Another interesting case occurs when the monitor cannot delay the occurrence
of the actions present in the execution sequence, but can only react to
them by inserting additional actions afterwards. In other words, any action
output by the target program must be immediately accepted, but can be
followed by other actions inserted by the monitor. An intuitive lower bound
to the set of enforceable properties in this context is the intersection of renewal
properties and liveness properties. That is, properties for which any
invalid sequence can be corrected into a valid sequence with a finite number
of corrective steps. Additionally, some safety properties and some persistence
properties are also enforceable. For example, the property $P_{\neg aa}$ imposing that
no two ‘a’ actions occur consecutively is a safety property, since an invalid
sequence cannot be corrected by the insertion of any subsequent actions.
However, the policy is $\mathcal{L}^{\Sigma^\infty}$-enforceable$_{\sqsubseteq}$ since the monitor can insert any
action other than ‘a’ after the occurrence of each ‘a’ action to ensure the
respect of the security property. What characterizes properties outside the
intersection of renewal and liveness that are nonetheless $\mathcal{L}^{\Sigma^\infty}$-enforceable$_{\sqsubseteq}$
is that there exists a property $P'$ in renewal $\cap$ liveness such that the property
of interest includes $P'$. In the case of the example above, the property “any
‘a’ action is immediately followed by some action different from ‘a’ (or the end
of sequence token)” is a renewal property included in $P_{\neg aa}$. The monitor can
enforce the property $P_{\neg aa}$ by enforcing $P'$.

Theorem 7. Let $P \in \mathcal{P}(\Sigma^\infty)$ and let $\mathcal{L} = (\emptyset, \Sigma, \emptyset, \emptyset)$. If the monitor cannot
delay the occurrence of actions performed by the target program, then $P \in
\mathcal{L}^{\Sigma^\infty}$-enforceable$_{\sqsubseteq}$ $\Leftrightarrow \exists P' : P' \subseteq P$ and $P'$ is infinite renewal $\cap$ liveness.

Allowing the monitor to insert a finite number of actions before or after
an action taken by the target program increases the set of enforceable properties
further. Consider for example the property $P_{os}$ stating that a write
action may only be performed on a previously opened file. The property is a safety
property, and falls outside the set of $\mathcal{L}^{\Sigma^\infty}$-enforceable$_{\sqsubseteq}$ properties defined
in Theorem 7 if the number of files is infinite. The property can be
$\mathcal{L}^{\Sigma^\infty}$-enforced$_{\sqsubseteq}$ by a monitor that inserts the corresponding open file action
any time the target program attempts to write to a file that has not yet been
opened. More generally, if all actions are in the set $C$, then a property $P$
is enforceable iff there exists a property $P' \subseteq P$ s.t. $P'$ is in renewal and
liveness and, for any action $a \in \Sigma$ and for any sequence $\sigma$ in $P'$, there is a
sequence $\tau$ in the residual of $P'$ with regard to $\sigma$ s.t. $a \in acts(\tau)$. In other
words, for any sequence in the subproperty $P'$ and for any possible action $a$,
there is a continuation $\tau$ s.t. $\tau$ contains $a$. The monitor can $\mathcal{L}^{\Sigma^\infty}$-enforce$_{\sqsubseteq}$
such a property by appending a sequence from the residual containing any
action requested by the target program.
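The two insertion monitors discussed above ($P_{\neg aa}$, which inserts after each ‘a’, and $P_{os}$, which inserts the missing open in front of a write), as an added example constructed for this rewrite rather than code from the paper. It also implements the subword relation and the left cancellation operator of Section 2.1 so that the output can be checked to be $\equiv_{\sqsubseteq}$-equivalent to the input; the action encodings and traces are assumptions of the example.

```python
"""Insertion enforcement under subword equivalence (Section 4.1).

Added, constructed example; not code from the paper. The monitor cannot
delay or suppress any action of the target but may insert actions before or
after it. It enforces P_notaa ("no two consecutive 'a'") by inserting a 'b'
after every 'a', and P_os ("a write is only performed on a previously opened
file") by inserting the missing open in front of the write. The helpers
implement the subword relation and the left cancellation operator of
Section 2.1; the final check confirms that the target's trace is a subword
of the output, i.e. that input and output are subword-equivalent.
"""


def is_subword(tau, omega):
    """True iff tau is a subword of omega: its actions occur in omega in order."""
    it = iter(omega)
    return all(a in it for a in tau)   # `a in it` advances the iterator past a


def left_cancel(tau, cancelled):
    """tau \\ cancelled: remove from tau the first occurrence of each action of cancelled."""
    out = list(tau)
    for a in cancelled:
        if a in out:
            out.remove(a)              # list.remove drops only the first occurrence
    return out


def p_notaa(trace):
    """P_notaa: no two 'a' actions occur consecutively (a safety property)."""
    return all(not (x == "a" and y == "a") for x, y in zip(trace, trace[1:]))


def p_os(trace):
    """P_os: every ('write', f) is preceded by an ('open', f) not yet closed."""
    opened = set()
    for kind, f in trace:
        if kind == "open":
            opened.add(f)
        elif kind == "close":
            opened.discard(f)
        elif kind == "write" and f not in opened:
            return False
    return True


def insertion_monitor(trace, before, after):
    """Accept each target action immediately, surrounding it with insertions.

    before(out, a) returns the actions to insert ahead of a; after(out) the
    actions to insert once a has been output. A target action is never
    dropped or reordered, so the input is always a subword of the output.
    """
    out = []
    for a in trace:
        out.extend(before(out, a))
        out.append(a)
        out.extend(after(out))
    return out


def enforce_notaa(trace):
    """Insert a 'b' after each 'a' so that 'aa' can never be output."""
    return insertion_monitor(
        trace,
        before=lambda out, a: [],
        after=lambda out: ["b"] if out[-1] == "a" else [],
    )


def enforce_os(trace):
    """Insert ('open', f) in front of any write to a file that is not open."""
    def before(out, a):
        kind, f = a
        # out is valid by construction, so an invalid out + [a] is due to this write
        return [("open", f)] if kind == "write" and not p_os(out + [a]) else []
    return insertion_monitor(trace, before, after=lambda out: [])


def sound_and_subword_equivalent(prop, enforce, trace):
    """Soundness plus transparency: output valid and input a subword of it."""
    out = enforce(trace)
    return prop(out) and is_subword(trace, out)
```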
Theorem 8. Let $\mathcal{L} = (\emptyset, \Sigma, \emptyset, \emptyset)$. $P \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_{\sqsubseteq}$ iff there exists a property
$P' \subseteq P \cap \text{Liveness} \cap \text{Renewal}$ such that

$$\forall\sigma \in P' : \bigcup_{\sigma' \in res_{P'}(\sigma)} acts(\sigma') = \Sigma.$$

The upper bound naturally occurs when all actions are controllable. We 
found it harder to give a specific upper bound to the set of enforceable$_\sqsubseteq$ 
properties. Indeed, this set seems to include almost every property, with the 
exception of a number of hard to define special cases. Observe that because 
the subword relation is reflexive, a monitor that enforces$_=$ a property also 
enforces$_\sqsubseteq$ it. This equivalence relation is so permissive that only a few very 
particular cases seem unenforceable. 

Observe that while this result indicates that the security properties that 
are $\mathcal{L}^{\Sigma^\infty}$-enforceable$_\sqsubseteq$ are largely the same as those that are $\mathcal{L}^{\Sigma^\infty}$-enforceable$_=$, 
the manner of enforcement is quite different. $\mathcal{L}^{\Sigma^\infty}$-enforcement$_=$ guarantees 
that any valid sequence is output as is, without any modification by the monitor. 
For invalid sequences, $\mathcal{L}^{\Sigma^\infty}$-enforcement$_=$ ensures that the longest valid 
prefix is always output [5]. $\mathcal{L}^{\Sigma^\infty}$-enforcement$_\sqsubseteq$ does not provide these guarantees. 
Instead, as seen above, for non-safety properties $\mathcal{L}^{\Sigma^\infty}$-enforcement$_\sqsubseteq$ 
can ensure that any action present in the original program is eventually output, 
whether the execution sequence is valid or not. $\mathcal{L}^{\Sigma^\infty}$-enforcement$_\sqsubseteq$ 
also evidently has a much reduced memory overhead, since this enforcement 
paradigm does not require the monitor to keep in memory an indefinitely 
long segment of the execution trace, as $\mathcal{L}^{\Sigma^\infty}$-enforcement$_=$ does. 
Since memory constraints were shown in [13] to significantly affect the set 
of enforceable properties, it is certain that once such constraints are taken 
into account, some properties will be found to be $\mathcal{L}^{\Sigma^\infty}$-enforceable$_\sqsubseteq$ but not 
$\mathcal{L}^{\Sigma^\infty}$-enforceable$_=$. 
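As an added example (not the paper's own code), the following Python runs two monitors for the $P_{os}$ property discussed above on a constructed trace: the edit automaton built in the proof of Theorem 1, which enforces$_=$ and so can only emit the longest valid prefix, and an insertion monitor that enforces$_\sqsubseteq$ $P_{os}$ by inserting the missing open action, so that the input is a subword of the output. The action names, the O/I/D/C encoding of the lattice levels and the trace are assumptions of the example.

```python
from typing import Callable, Dict, List, Optional, Tuple

Action = Tuple[str, str]  # (operation, file), e.g. ("write", "f1"); constructed names
Lattice = Dict[str, str]  # operation -> control level O, I, D or C (hypothetical encoding)

def p_os(seq: List[Action]) -> bool:
    """P_os: every write(f) in the finite sequence is preceded by an open(f)."""
    opened = set()
    for op, f in seq:
        if op == "open":
            opened.add(f)
        elif op == "write" and f not in opened:
            return False
    return True

def is_subword(x: List[Action], y: List[Action]) -> bool:
    """True iff x is a (not necessarily contiguous) subword of y, i.e. x ⊑ y."""
    it = iter(y)
    return all(any(a == b for b in it) for a in x)

class EqualityMonitor:
    """Edit automaton from the Theorem 1 proof: state (sigma_o, sigma_s) = (output so far,
    suppressed suffix). gamma(prefix) returns the unique valid extension in the corner
    case, or None (the default, which is right for a safety property such as P_os)."""
    def __init__(self, prop: Callable[[List[Action]], bool], lattice: Lattice,
                 gamma: Callable[[List[Action]], Optional[List[Action]]] = lambda s: None):
        self.prop, self.lattice, self.gamma = prop, lattice, gamma
        self.out: List[Action] = []  # sigma_o
        self.sup: List[Action] = []  # sigma_s

    def step(self, a: Action) -> None:
        cand = self.out + self.sup + [a]
        if self.prop(cand):                       # valid prefix reached: flush sigma_s;a
            self.out, self.sup = cand, []
            return
        ext = self.gamma(cand)
        if ext is not None:                       # corner case: emit the only valid extension
            if any(self.lattice[op] not in ("I", "C") for op, _ in ext):
                raise RuntimeError("corner-case extension needs insertable actions")
            self.out, self.sup = cand + ext, []
            return
        if self.lattice[a[0]] not in ("D", "C"):  # invariant (4): never suppress an O or I action
            raise RuntimeError(f"cannot suppress {a}: it is not in D or C")
        self.sup.append(a)

    def run(self, trace: List[Action]) -> List[Action]:
        for a in trace:
            self.step(a)
        return list(self.out)

def insertion_monitor(trace: List[Action], lattice: Lattice) -> List[Action]:
    """Enforcement_⊑ of P_os with insertion only: never drop an action, insert open(f) first."""
    out: List[Action] = []
    opened = set()
    for op, f in trace:
        if op == "write" and f not in opened:
            if lattice["open"] not in ("I", "C"):
                raise RuntimeError("open is not insertable in this lattice")
            out.append(("open", f))
            opened.add(f)
        elif op == "open":
            opened.add(f)
        out.append((op, f))
    return out
```

On the constructed trace open f1, write f1, write f2, close f1 with every action controllable, the equality monitor stops at the longest valid prefix (open f1, write f1), while the insertion monitor outputs the whole trace with an inserted open f2.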

4.2 Suppression Enforcement 

Another interesting enforcement paradigm is suppression enforcement [3], 
which occurs when the monitor can remove potentially malicious actions 
performed by the target program but cannot add any action to the execution. 
In that case, the monitor's enforcement is bounded by the reverse subword 
equivalence, meaning that the monitor's output is a subword of the original 
sequence. This enforcement paradigm is similar to the one described in [21], 
where the monitor is interposed between the target program and the system. 
Any action requested by the target program is intercepted by the monitor, 
which must accept or reject it. This allows us to pose an upper bound to this 
enforcement paradigm. 

Let $\sigma, \sigma', \tau \in \Sigma^*$; we write $\sigma \equiv_\tau \sigma' \Leftrightarrow (\tau \sqsupseteq \sigma \wedge \tau \sqsupseteq \sigma')$. As was the case in 
section 4.1, this is a very permissive equivalence relation, which characterizes 
the behaviour of a monitor that can potentially suppress any action or actions 
from the execution. We write $\equiv_\sqsupseteq$ for this equivalence relation where $\tau$ is the 
original input. 

We begin by determining an upper bound to the set, which occurs when 
every action is suppressible. In that case, every reasonable property is 
enforceable, simply by always outputting the empty sequence (or possibly the 
longest valid prefix). While this may not be a particularly useful enforcement, 
it does serve as a useful upper bound from which to begin reflecting on the 
capabilities of different types of monitors. It also argues for a stronger notion 
of transparency, as discussed in [16], which allows us to reason about the 
capabilities of monitors in a context closer to that of a real-life 
monitor. Such monitors would normally be bounded with respect to the 
alterations that they are allowed to perform on valid and invalid executions 
alike. 

Theorem 9. If $\mathcal{L} = (\emptyset, \emptyset, \Sigma, \emptyset)$ then $\mathcal{L}^{\Sigma^\infty}$-enforceable$_\sqsupseteq = \mathcal{P}(\Sigma^\infty)$. 

Corollary 3. Let $\mathcal{L} = (\emptyset, \emptyset, \Sigma, \emptyset)$. $\forall a \in \mathcal{D} : \mathcal{L}^{\Sigma^\infty}$-enforceable$_\sqsupseteq = \mathcal{L}^{\Sigma^\infty}_{a : \mathcal{D} \to \mathcal{C}}$-enforceable$_\sqsupseteq$. 

Corollary 4. Let $\mathcal{L} = (\emptyset, \emptyset, \Sigma, \emptyset)$. $\forall S \subseteq \Sigma^\infty : \mathcal{L}^{S}$-enforceable$_\sqsupseteq = \mathcal{L}^{\Sigma^\infty}$-enforceable$_\sqsupseteq$. 

A more interesting characterization occurs when we consider that some 
subset of $\Sigma$ is unsuppressible. These may be actions that the monitor lacks 
the ability to suppress (such as internal system computations) or actions that 
cannot be deleted without affecting the functionality of the target program. 
When that is the case, a property is enforceable iff every invalid sequence 
has a valid prefix ending on an action in $\mathcal{D}$. In that case, the property of 
interest includes a safety property that can be enforced by truncation. 

Theorem 10. If $\mathcal{L} = (\mathcal{O}, \emptyset, \mathcal{D}, \emptyset)$ then $\forall \sigma \in \Sigma^\infty : P(\sigma) \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_\sqsupseteq \Leftrightarrow 
\exists P' \subseteq P : P' \in \mathcal{L}$-safety. 
5 Conclusion 


In this paper, we reexamined the delimitation of enforceable properties by 
monitors, and proposed a finer characterization that distinguishes between 
actions that are only observable, actions which the monitor can delete but 
not insert into the execution, actions which the monitor can insert in the 
execution but not suppress if they are already present, and completely 
controllable actions. Our study is a generalization of previous work on the same 
topic, and provides a finer characterization of the set of security properties 
that are enforceable by monitors in different contexts. 

Additionally, we explored the set of properties that are enforceable when 
the monitor is given broader latitude to transform valid sequences, rather 
than being bound to return a syntactically identical execution sequence if the 
original execution is valid. We argue that our results point to the need for 
an alternative definition of enforcement. 

Part of the reason the sets of $\mathcal{L}^{\Sigma^\infty}$-enforceable$_\sqsubseteq$ and $\mathcal{L}^{\Sigma^\infty}$-enforceable$_\sqsupseteq$ 
properties are so large is that, in the definition of effective$_\sqsubseteq$ (respectively effective$_\sqsupseteq$) enforcement, the 
transparency requirement is so weak. This leads to monitors with unusually 
broad licence to alter invalid sequences in order to correct them. For 
monitors with broad capabilities to add and remove actions from the execution 
sequence, the desired behaviour of a real-life security policy enforcement 
mechanism would be more accurately characterized by a more constraining 
definition of enforcement. For example, a practical suppression monitor 
should be bound to remove from an invalid execution sequence only those 
actions that violate the security policy. Any valid behaviour present in an 
otherwise invalid sequence should be preserved. 

In the future, we would like to consider that the cost of inserting or 
deleting an action may not be the same for all actions. This would allow us 
to contrast different enforcement strategies for the same security property. 
A lattice-based framework is well-suited to model such a restriction. 
A Proofs 

Theorem 1. 

$P \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_= \Leftrightarrow \forall \sigma \in \Sigma^\infty :$ 

$P(\sigma) \Leftrightarrow (\forall \sigma' \preceq \sigma : \exists \tau \preceq \sigma : \sigma' \preceq \tau \wedge P(\tau) \wedge (\forall \tau' \preceq \tau : \neg P(\tau') \Rightarrow \tau'.last \in \mathcal{C}))\ \vee$ 
$(\exists \tau;a \preceq \sigma : a \in (\mathcal{D} \cup \mathcal{C}) \wedge (\forall \tau' \preceq \tau;a : \neg P(\tau') \Rightarrow \tau'.last \in \mathcal{C}) \wedge (\forall \tau' \preceq \tau;a : P(\tau') \Rightarrow 
\tau' = \sigma \vee (P(\tau) \wedge \neg\exists \tau' \preceq \tau : P(\tau') \wedge acts(\sigma \setminus \tau;a) \subseteq (\mathcal{C} \cup \mathcal{I}))))$ 


Proof, (if direction) We construct an edit-automaton *4. = (Q,qo,S) that 
effectively= enforces the property P. This automata is defined as follows: 


• Q = E* x S*, i.e., each state consists in a pair of finite sequences, the 
sequence output so far and the suffix of the input currently suppressed. 

• go = (e,e), 


the transition function 5 : Q x E x Q is defined as 

{ ((To, (T s ; a), if -iP(<7 0 ; a s ; a) A 7 (a„; a s ; a) = _L 

(cr 0 ;a s ;a,e), P(a 0 ;a s ;a) 

(cr 0 ; a', e), ^P(< 7 0 ; a) A 7 (a 0 ; a s ; a) = a'. 

where 7 : E* x E U 1 is a function defined as follows 

/ \ r a, 3 a; r G S°° : Vcr' A a : Pa' Aff' = a;rA acts(r ) G {X, C}; 

1 \ _L, otherwise. 

Informally, this transition function states that the monitor suppresses 
the execution until a valid prefix is encountered, at which point it out¬ 
puts the suffix of the execution it has suppressed so far. Function 7 
detects the occurrence of the corner case described above. 


Let a G S°° be the input sequence and let cr{..i ] be the prefix of the input 
sequence processed at step i, and let g = (a*, a*) be the state of A reached 
after processing a[..i\. The automaton maintains the following invariants. 
At step i, (1) a 0 has been output and this output is valid, (2) the output is 
transparent, i.e. a[..i] G P =>■ a[..i\ G o V 3 o' A a : Vcr'; r A o' : P(cr'; r) => 
cr'; r = u (3)7(cr[..i]) = _L cr[..i] = u*; < 7 * and (4) the automaton A never 
manipulates and action in a disallowed manner. The third invariant ensures 
that the automata does not, for instance, suppress an unsuppressiblc action, 
or abort the execution on an observable action. 
The invariants hold initially since $\sigma[..0] = \varepsilon$ and the automaton is in state 
$(\varepsilon, \varepsilon)$. Let us assume that INV($i$) holds and let $a$ be the next input action. 
We show that INV($i+1$) holds, where $\sigma[..i+1] = \sigma[..i];a$. 

There are three cases to consider. 

1. $a$ is invalid, and there are multiple valid extensions. In this case 
the automaton suppresses the input action. The automaton enters 
state $(\sigma_o^{i+1}, \sigma_s^{i+1})$ where $\sigma_o^{i+1} = \sigma_o^i$ and $\sigma_s^{i+1} = \sigma_s^i;a$. That $\sigma_o^{i+1} \in 
P$ holds from the induction hypothesis. Likewise, the transparency 
requirement holds trivially since $\neg P(\sigma[..i];a)$. The first conjunct of 
Theorem 1 ensures that $a$ is controllable. 

2. $P(\sigma[..i];a)$. In this case the automaton outputs $\sigma_s^i;a$. By induction 
we have that $\sigma_o^i;\sigma_s^i;a = \sigma[..i];a$ and thus $P(\sigma_o^{i+1})$. $\sigma_s^{i+1} = \varepsilon$, which 
means the third part of the invariant holds trivially. Finally, since 
in previous states an action could only have been suppressed if it was 
controllable, we have that every action in $\sigma_s^i$ is controllable. 

3. $\sigma[..i];a$ has a single valid extension. This includes the case where the 
only valid extension is $\varepsilon$ and the execution is aborted. In this case the 
automaton enters a loop in which it outputs the actions of the only 
valid extension one by one. By Theorem 1 we have that the output 
of the monitor is valid and insertable or controllable. Such an action 
is known to exist by the final conjunct of Theorem 1. INV($i+1$)(3) 
holds trivially since $\gamma(\sigma[..i]) \neq \bot$. 

Since the invariant INV holds at each step, the output is valid, transparent 
and the monitor does not behave in a manner inconsistent with the 
limitations on its capabilities. 

(only-if direction) 

By negation of Theorem 1 we have that a property is unenforceable iff it 
contains at least one valid sequence $\sigma$ meeting the following two properties 

1. $\exists \sigma' \preceq \sigma : \neg P(\sigma') \wedge \sigma'.last \notin \mathcal{C}$ 

2. $\exists \sigma' \preceq \sigma : \exists \tau \in P : \tau \preceq \sigma' \wedge \tau \neq \sigma \vee \exists a \in acts(\tau) : a \notin (\mathcal{I} \cup \mathcal{C})$ 

Informally, the property is unenforceable iff there exists a valid sequence with 
an invalid prefix whose last action is not in the controllable set, such that that valid sequence 
either is not in the corner case described in section 3 or is not comprised 
of insertable or controllable actions. When the monitor encounters such a 
prefix, it cannot accept it since it may be the end of an invalid sequence, but 
it cannot suppress it either since the input may have a valid continuation, which 
the monitor would be unable to re-insert. □ 

Theorem 4. (from [2?]) If $\mathcal{L} = (\emptyset, \emptyset, \Sigma, \emptyset)$ then $\mathcal{L}^{\Sigma^\infty}$-enforceable$_=$ is Safety. 

Proof. $P \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_= \Leftrightarrow \forall \sigma \in \Sigma^\infty :$ 

$P(\sigma) \Leftrightarrow (\forall \sigma' \preceq \sigma : \exists \tau \preceq \sigma : \sigma' \preceq \tau \wedge P(\tau) \wedge (\forall \tau' \preceq \tau : \neg P(\tau') \Rightarrow \tau'.last \in \mathcal{C}))\ \vee$ 
$(\exists \tau;a \preceq \sigma : a \in (\mathcal{D} \cup \mathcal{C}) \wedge (\forall \tau' \preceq \tau;a : \neg P(\tau') \Rightarrow \tau'.last \in \mathcal{C}) \wedge 
(\forall \tau' \preceq \tau;a : P(\tau') \Rightarrow \tau' = \sigma \vee (P(\tau) \wedge \neg\exists \tau' \preceq \tau : P(\tau'))))$ 

$(\forall a \in \Sigma : a \in \mathcal{D})$ 

$P \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_= \Leftrightarrow \forall \sigma \in \Sigma^\infty :$ 

$P(\sigma) \Leftrightarrow (\forall \sigma' \preceq \sigma : \exists \tau \preceq \sigma : \sigma' \preceq \tau \wedge P(\tau) \wedge (\forall \tau' \preceq \tau : \neg P(\tau') \Rightarrow \bot))\ \vee$ 
$(\exists \tau;a \preceq \sigma : \top \wedge (\forall \tau' \preceq \tau;a : \neg P(\tau') \Rightarrow \bot) \wedge 
(\forall \tau' \preceq \tau;a : P(\tau') \Rightarrow \tau' = \sigma \vee (P(\tau) \wedge \neg\exists \tau' \preceq \tau : P(\tau'))))$ 

$(\neg A \Rightarrow \bot \equiv A,\ \top \wedge A \equiv A)$ 

$P \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_= \Leftrightarrow \forall \sigma \in \Sigma^\infty :$ 

$P(\sigma) \Leftrightarrow (\forall \sigma' \preceq \sigma : \exists \tau \preceq \sigma : \sigma' \preceq \tau \wedge (\forall \tau' \preceq \tau : P(\tau')))\ \vee$ 
$(\exists \tau;a \preceq \sigma : (\forall \tau' \preceq \tau;a : P(\tau')) \wedge 
(\forall \tau' \preceq \tau;a : P(\tau') \Rightarrow \tau' = \sigma \vee (P(\tau) \wedge \neg\exists \tau' \preceq \tau : P(\tau'))))$ 

(the second disjunct is unsatisfiable) 

$P \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_= \Leftrightarrow \forall \sigma \in \Sigma^\infty :$ 

$P(\sigma) \Leftrightarrow \forall \sigma' \preceq \sigma : P(\sigma')$ 

(definition of Safety) 

$P \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_= \Leftrightarrow P \in$ Safety 

□ 

Theorem 5. (from [2?]) If $\mathcal{L} = (\emptyset, \emptyset, \emptyset, \Sigma)$ then $\mathcal{L}^{\Sigma^\infty}$-enforceable$_=$ is Infinite 
Renewal or the corner case. 

Proof. $P \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_= \Leftrightarrow \forall \sigma \in \Sigma^\infty :$ 

$P(\sigma) \Leftrightarrow (\forall \sigma' \preceq \sigma : \exists \tau \preceq \sigma : \sigma' \preceq \tau \wedge P(\tau) \wedge (\forall \tau' \preceq \tau : \neg P(\tau') \Rightarrow \tau'.last \in \mathcal{C}))\ \vee$ 
$(\exists \tau;a \preceq \sigma : a \in (\mathcal{D} \cup \mathcal{C}) \wedge (\forall \tau' \preceq \tau;a : \neg P(\tau') \Rightarrow \tau'.last \in \mathcal{C}) \wedge 
(\forall \tau' \preceq \tau;a : P(\tau') \Rightarrow \tau' = \sigma \vee (P(\tau) \wedge \neg\exists \tau' \preceq \tau : P(\tau'))))$ 

$(\forall a \in \Sigma : a \in \mathcal{C})$ 

$P \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_= \Leftrightarrow \forall \sigma \in \Sigma^\infty :$ 

$P(\sigma) \Leftrightarrow (\forall \sigma' \preceq \sigma : \exists \tau \preceq \sigma : \sigma' \preceq \tau \wedge P(\tau) \wedge \top)\ \vee$ 
$(\exists \tau;a \preceq \sigma : \top \wedge (\forall \tau' \preceq \tau;a : \neg P(\tau') \Rightarrow \top) \wedge 
(\forall \tau' \preceq \tau;a : P(\tau') \Rightarrow \tau' = \sigma \vee (P(\tau) \wedge \neg\exists \tau' \preceq \tau : P(\tau'))))$ 

$(\top \wedge A \equiv A)$ 

$P \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_= \Leftrightarrow \forall \sigma \in \Sigma^\infty :$ 

$P(\sigma) \Leftrightarrow (\forall \sigma' \preceq \sigma : \exists \tau \preceq \sigma : \sigma' \preceq \tau \wedge P(\tau))\ \vee$ 
$(\exists \tau;a \preceq \sigma : \forall \tau' \preceq \tau;a : P(\tau') \Rightarrow \tau' = \sigma \vee (P(\tau) \wedge \neg\exists \tau' \preceq \tau : P(\tau')))$ 

$(\forall \sigma \in \Sigma^\infty : P(\sigma) \Leftrightarrow (\forall \sigma' \preceq \sigma : \exists \tau \preceq \sigma : \sigma' \preceq \tau \wedge P(\tau)) \Rightarrow \exists \tau;a \preceq \sigma : 
\forall \tau' \preceq \tau;a : \neg P(\tau') \Rightarrow (P(\tau) \wedge \neg\exists \tau' \preceq \tau : P(\tau')))$ 

$P \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_= \Leftrightarrow \forall \sigma \in \Sigma^\infty :$ 

$P(\sigma) \Leftrightarrow (\forall \sigma' \preceq \sigma : \exists \tau \preceq \sigma : \sigma' \preceq \tau \wedge P(\tau))\ \vee$ 
$(\exists \tau;a \preceq \sigma : \forall \tau' \preceq \tau;a : P(\tau') \Rightarrow \tau' = \sigma)$ 

(definition of renewal and of the corner case) 

$P \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_= \Leftrightarrow P \in$ renewal or the corner case 

□ 


Corollary 1. Let $\mathcal{L}$ be a lattice over a set of actions $\Sigma$ as described above 
and let $\Sigma_1, \Sigma_2 \in \{\mathcal{O}, \mathcal{D}, \mathcal{I}, \mathcal{C}\}$ with $\Sigma_1 \sqsubseteq \Sigma_2$. $\forall a \in \Sigma : \mathcal{L}^{\Sigma^\infty}$-enforceable$_= 
\subseteq \mathcal{L}^{\Sigma^\infty}_{a : \Sigma_1 \to \Sigma_2}$-enforceable$_=$. 

Proof. Any property that is $\mathcal{L}^{\Sigma^\infty}$-enforceable$_=$ is trivially $\mathcal{L}^{\Sigma^\infty}_{a : \Sigma_1 \to \Sigma_2}$-enforceable$_=$. 
The converse does not hold: 

Let $\Sigma_1 = \mathcal{O}$ and $\Sigma_2 \in \{\mathcal{I}, \mathcal{C}\}$. The property $P(\sigma) \Leftrightarrow \exists \tau \in \Sigma^\infty : 
\sigma = a;\tau$, which states that any valid execution must begin with a distinguished 
action $a$, is not $\mathcal{L}^{\Sigma^\infty}$-enforceable$_=$ since the monitor cannot correct an invalid 
sequence by adding the missing initial action. It is $\mathcal{L}^{\Sigma^\infty}_{a : \Sigma_1 \to \Sigma_2}$-enforceable$_=$. 

Let $\Sigma_1 = \mathcal{D}$ and $\Sigma_2 = \mathcal{C}$. The property $P(\sigma) \Leftrightarrow \sigma = aa$ is not $\mathcal{L}^{\Sigma^\infty}$-
enforceable$_=$ since, when faced with a single $a$, the monitor can neither suppress 
it (which would make it impossible to return a valid syntactically equal 
sequence if the next action is also $a$), nor output it, since the execution 
would then be irremediably invalid in all other cases. The property is 
$\mathcal{L}^{\Sigma^\infty}_{a : \Sigma_1 \to \Sigma_2}$-enforceable$_=$. 

Let $\Sigma_1 = \mathcal{O}$ and $\Sigma_2 = \mathcal{D}$, or $\Sigma_1 = \mathcal{I}$ and $\Sigma_2 = \mathcal{C}$. The property $P(\sigma) \Leftrightarrow 
a \notin acts(\sigma)$ is not $\mathcal{L}^{\Sigma^\infty}$-enforceable$_=$ since the monitor lacks the ability to 
suppress invalid $a$ actions. It is $\mathcal{L}^{\Sigma^\infty}_{a : \Sigma_1 \to \Sigma_2}$-enforceable$_=$ by simple suppression 
of these actions. □ 


Corollary 2. Let $\mathcal{L} = (\Sigma, \emptyset, \emptyset, \emptyset)$. $P \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_= \Leftrightarrow P = \Sigma^\infty$. 

Proof. Corollary 2 follows immediately from Theorem 1. □ 

Theorem 6. Let $\mathcal{L} = (\emptyset, \emptyset, \Sigma, \emptyset)$. $\mathcal{L}^{\Sigma^\infty}$-enforceable$_\sqsubseteq$ is the set of safety 
properties. 

Proof. Trivial. Since the monitor lacks the ability to insert any action into 
the execution, it behaves like a suppression automaton [3]. The equivalence 
relation imposes that any action present in the input must also be present 
in the output. Since the monitor can only allow an action or terminate the 
execution, any enforceable property is necessarily prefix closed. □ 

Theorem 7. Let $P \in \mathcal{P}(\Sigma^\infty)$ and let $\mathcal{L} = (\emptyset, \Sigma, \emptyset, \emptyset)$. If the monitor cannot 
delay the occurrence of actions performed by the target program, then $P \in 
\mathcal{L}^{\Sigma^\infty}$-enforceable$_\sqsubseteq \Leftrightarrow \exists P' : P' \subseteq P$ and $P'$ is infinite renewal $\cap$ liveness. 

Proof. (if direction) Let $P'$ be a property in Renewal $\cap$ Liveness such that $P' \subseteq P$ 
and let $\mathcal{L} = (\emptyset, \Sigma, \emptyset, \emptyset)$. A monitor can $\mathcal{L}^{\Sigma^\infty}$-enforce$_\sqsubseteq$ $P'$ as follows: let $\tau \in \Sigma^*$ 
be the current output so far and let $a \in \Sigma$ be the next program action in 
the execution. Since $P'$ is in Renewal $\cap$ Liveness there necessarily exists a 
finite sequence $\tau' \in \Sigma^*$ such that $\tau;a;\tau' \in P'$, and the monitor can $\mathcal{L}^{\Sigma^\infty}$-enforce$_\sqsubseteq$ $P'$ 
by outputting this sequence. Since $P' \subseteq P$, the monitor's output is correct 
with respect to $P$, and since the input is a subword of $\tau;a;\tau'$ the output is transparent. 




(only-if direction) A $P$ not in the intersection Renewal $\cap$ Liveness can be a 
safety property or a persistence property. Safety properties are properties 
for which a violation of the security policy is irremediable. As such, no 
suffix can be added by the monitor to the invalid sequence to correct it, thus 
$\mathcal{L}^{\Sigma^\infty}$-enforcing$_\sqsubseteq$ the property. Likewise, persistence properties include infinite 
invalid sequences with infinitely many valid prefixes, and infinite valid sequences 
with only finitely many valid prefixes. In the former case, the monitor cannot 
enforce the property because even though its output will continuously be 
valid, the overall execution will violate the property. In the latter case, the 
monitor will eventually reach a finite execution $\sigma$ which has no finite valid 
extension. If the monitor outputs a valid infinite extension, subsequent actions 
output by the program will not be present in the monitor's output, violating 
the transparency requirement. Since there does not exist a property $P' \subseteq 
P$ such that $P'$ is in Renewal $\cap$ Liveness, the monitor cannot avoid reaching one 
of the three cases described above. □ 

Theorem 8. Let $\mathcal{L} = (\emptyset, \Sigma, \emptyset, \emptyset)$. $P \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_\sqsubseteq$ iff there exists a property 
$P' \subseteq P \cap$ Liveness $\cap$ Renewal such that $\forall \sigma \in P' : \bigcup_{\sigma' \in res_{P'}(\sigma)} acts(\sigma') = \Sigma$. 

Proof. (if direction) Let $P$ and $P'$ be properties as described above. Let 
$\sigma \in \Sigma^*$ be the input sequence so far and let $a \in \Sigma$ be the next program action 
in the execution. By definition, there exists a sequence $\tau$ such that $\sigma;\tau \in P'$ 
(satisfying correctness since $P' \subseteq P$) and $a \in acts(\tau)$ (satisfying transparency). 
(only-if direction) If the condition above does not hold, then by definition there 
exists a sequence $\tau \in \Sigma^*$ and an action $a \in \Sigma$ such that $\tau$ has no 
valid finite extension containing $a$. This makes it impossible for a 
monitor to enforce the property in a correct and transparent manner if $\tau$ is 
the input sequence. □ 

Theorem 9. If $\mathcal{L} = (\emptyset, \emptyset, \Sigma, \emptyset)$ then $\mathcal{L}^{\Sigma^\infty}$-enforceable$_\sqsupseteq = \mathcal{P}(\Sigma^\infty)$. 

Proof. Since the empty sequence $\varepsilon$ is always valid, and equivalent to every 
possible sequence, the monitor can $\mathcal{L}^{\Sigma^\infty}$-enforce$_\sqsupseteq$ any property by always 
outputting that sequence. □ 

Corollary 3. Let $\mathcal{L} = (\emptyset, \emptyset, \Sigma, \emptyset)$. $\forall a \in \mathcal{D} : \mathcal{L}^{\Sigma^\infty}$-enforceable$_\sqsupseteq = \mathcal{L}^{\Sigma^\infty}_{a : \mathcal{D} \to \mathcal{C}}$-enforceable$_\sqsupseteq$. 

Proof. Immediate from Theorem 9. □ 

Corollary 4. Let $\mathcal{L} = (\emptyset, \emptyset, \Sigma, \emptyset)$. $\forall S \subseteq \Sigma^\infty : \mathcal{L}^{S}$-enforceable$_\sqsupseteq = \mathcal{L}^{\Sigma^\infty}$-enforceable$_\sqsupseteq$. 

Proof. Immediate from Theorem 9. □ 

Theorem 10. If $\mathcal{L} = (\mathcal{O}, \emptyset, \mathcal{D}, \emptyset)$ then $\forall \sigma \in \Sigma^\infty : P(\sigma) \in \mathcal{L}^{\Sigma^\infty}$-enforceable$_\sqsupseteq \Leftrightarrow 
\exists P' \subseteq P : P' \in \mathcal{L}$-safety. 

Proof. (if direction) The property $P$ can be enforced by enforcing the property 
$P' \subseteq P$. Since $P'$ is a safety property, it can be enforced by truncation. 
Since $P'$ is a subset of $P$, enforcing $P'$ satisfies the correctness requirement for 
$P$. Enforcing the property by truncation guarantees that the transparency 
requirement is respected. 

(only-if direction) Let $P$ be a property for which there does not exist a 
property $P'$ such that $P' \subseteq P$ and $P' \in \mathcal{L}$-safety. There must exist a sequence 
$\sigma \notin P$ such that $\neg\exists \tau \preceq \sigma : \tau \in P \wedge \tau.last \in (\mathcal{D} \cup \mathcal{C}) \wedge \neg\exists \tau' \preceq \tau : P(\tau')$. If 
$\sigma$ is the input sequence, the monitor cannot enforce the property since 
there is no valid prefix upon which it can abort the execution. □ 